WO2015018200A1 - Method and apparatus for upgrading detection engine in firewall device

Publication number
WO2015018200A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
functional component
version
new version
detection engine
Prior art date
Application number
PCT/CN2014/072541
Other languages
French (fr)
Chinese (zh)
Inventor
李世光
蒋武
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Definitions

  • the embodiments of the present invention relate to network technologies, and in particular, to a method and an apparatus for upgrading a detection engine in a firewall device.
  • BACKGROUND: A basic requirement of a gateway device is reliable operation. For example, user traffic should not be interrupted by a software version upgrade, and the user's service should not be affected.
  • gateway devices such as the Next Generation Firewall (NGFW)
  • NGFW: Next Generation Firewall
  • IPS: Intrusion Prevention System
  • AV: Anti-Virus
  • URL: Uniform Resource Locator
  • DLP: Data Leak Prevention
  • the threat of attacks against application layer services also changes rapidly.
  • the components on the NGFW device that detect the above threats such as the threat signature database or the detection engine, can be upgraded in a timely manner.
  • the new detection engine replaces the old detection engine, and the old detection engine will not be available after the upgrade succeeds; the other is that after the new detection engine is successfully loaded, the new detection engine is running.
  • the old detection engine is still used, that is, for a long period of time, multiple detection engines are running simultaneously in the NGFW device.
  • the embodiments of the present invention provide a detection engine upgrade processing method and apparatus, which are used to reduce the missed detection problem caused by the detection engine upgrade in the prior art.
  • an embodiment of the present invention provides a method for upgrading a detection engine in a firewall device, including: generating a new version of a first functional component according to a software upgrade data packet of the detection engine, and running the new version of the first functional component in the detection engine, so as to detect a first session by using the new version of the first functional component, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run;
  • the old version of the first functional component is used to detect subsequent messages of the second session until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run;
  • the method further includes:
  • the first functional component of the new version is used for detection; if the packet belongs to the second session, the first functional component of the old version is used for detection.
  • in a second implementation manner of the first aspect, if there is at least one second session, using the old version of the first functional component to detect subsequent messages of the second session until all the second sessions are aged includes:
  • a correspondence between the first functional component of the old version, the second session, and the session state of the second session is established and stored for determining whether all of the second sessions are aged.
  • the method further includes:
  • the session state of the session to which the message belongs is set to an aging state in the corresponding relationship.
  • the method further includes:
  • the software upgrade data package further includes an upgrade data package of the at least one second function component, generating a new version of the second function component, and running the new version of the second function component in the detection engine.
  • an embodiment of the present invention provides an apparatus for upgrading a detection engine in a firewall device, including:
  • an installing module configured to generate a new version of the first functional component according to the software upgrade data package of the detection engine, and run the new version of the first functional component in the detection engine;
  • a detecting module configured to detect a first session by using the new version of the first functional component generated and run by the installing module, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run;
  • the detecting module is further configured to: if there is at least one second session, use a first functional component of the old version to detect subsequent packets of the second session, until all the second sessions are aged,
  • the second session refers to a session that has been established with the firewall device when the first functional component of the new version is run;
  • the destroying module is configured to, according to the triggering of the detecting module, destroy the old version of the first functional component after all the second sessions are aged.
  • the device further includes: a receiving module, configured to receive a packet, and determine, according to a packet header of the packet, whether the packet belongs to the first session or to the second session;
  • the detecting module is further configured to: if the packet belongs to the first session, apply the new version of the first functional component for detection; if the packet belongs to the second session, apply the old version of the first functional component for detection.
  • the device further includes:
  • a storage module configured to establish and store a correspondence between the old version of the first functional component, the second session, and the session state of the second session, for the detecting module to judge whether all the second sessions are aged.
  • the storage module is further configured to:
  • the session to which the message belongs is the second session, the session state of the session to which the message belongs is set to the aging state in the corresponding relationship.
  • the installing module is further configured to:
  • the software upgrade data package further includes an upgrade data package of the at least one second function component, generating a new version of the second function component, and running the new version of the second function component in the detection engine.
  • in the method and device for upgrading a detection engine in a firewall device, a new version of the first functional component is generated according to the software upgrade data packet of the detection engine and run in the detection engine, so as to detect the first session by using the new version of the first functional component, where the first session is a session newly established with the firewall device after the new version of the first functional component is run; if there is at least one second session, subsequent messages of the second session are detected by using the old version of the first functional component until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run; after all the second sessions are aged, the old version of the first functional component is destroyed.
  • because only the functional component that needs to be upgraded is upgraded, rather than the entire detection engine, and the old-version functional component that detects the second sessions is destroyed after all the second sessions are aged, resource consumption is small and upgrade efficiency is high compared with the prior-art update of the entire detection engine.
  • a smooth upgrade of the functional components of the detection engine on the next-generation firewall is achieved, and the security detection of existing service traffic is not affected.
  • FIG. 1 is a flowchart of Embodiment 1 of a method for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 2 is a schematic diagram of an application scenario of Embodiment 1 of a method for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 3 is a first schematic diagram of a functional component upgrade state according to Embodiment 1 of a method for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 4 is a second schematic diagram of a functional component upgrade state according to Embodiment 1 of a method for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 5 is a third schematic diagram of a functional component upgrade state according to Embodiment 1 of a method for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 6 is a schematic structural diagram of Embodiment 1 of a device for upgrading a detection engine in a firewall device according to the present invention
  • FIG. 7 is a schematic structural diagram of Embodiment 2 of a device for upgrading a detection engine in a firewall device according to the present invention
  • the execution body of this embodiment is an upgrade device of the detection engine in the firewall device, and the device can be implemented by software and/or hardware.
  • the solution of this embodiment is applied to a network access device or a network switching device, such as a gateway device, a firewall, and an NGFW.
  • the method in this embodiment may include:
  • Step 101: Generate a new version of the first functional component according to the software upgrade data packet of the detection engine, and run the new version of the first functional component in the detection engine so as to detect the first session by using the new version of the first functional component, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run.
  • the upgrade device of the detection engine in the firewall device of the embodiment may be set in the NGFW, and the NGFW is mainly deployed on the Internet egress and the office network egress to protect the user host of the server and the office network.
  • Based on application identification, the NGFW performs security detection on application layer traffic in the network, such as IPS detection, AV detection, and URL filtering.
  • An upgrade server is deployed in the network.
  • the upgrade server or the NGFW has a software upgrade packet of a new version of the function component of the detection engine, such as an IPS function component
  • if the upgrade device of the detection engine detects that a functional component in the detection engine, such as the IPS function component or the AV function component, needs to be upgraded, a new version of the first functional component is generated according to the detection engine software upgrade data package and run in the detection engine, so as to detect the first session by using the new version of the first functional component, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run. If the new version of the first functional component, such as the AV functional component, corresponds to a new signature library, that library is also loaded and updated, for example with information on multiple viruses.
  • the detection of the upgrade of the function component can be triggered periodically.
  • through communication between the upgrade server and the NGFW, the version status of each functional component of the detection engine in the NGFW can be obtained in real time and compared with the version status in the upgrade server to learn whether to upgrade; or, if the upgrade server does not communicate with the NGFW, the software upgrade package can be manually downloaded to the NGFW.
  • the upgrade component in the NGFW determines whether the upgrade is required. If multiple functional components need to be upgraded at the same time, each functional component can be upgraded simultaneously or sequentially, that is, after one functional component is upgraded, the next functional component is upgraded.
  • Step 102: If there is at least one second session, use the old version of the first functional component to detect subsequent messages of the second session until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run.
  • if the second session is a session that had already been established with the firewall device when the new version of the first functional component was run, such as session 1, the old version of the first functional component, such as the IPS function component version 1, is used to perform security detection on the subsequent packets of the second session, where the subsequent packets of the second session are the packets that belong to the second session after the new version of the first functional component is run. Because the AV function component is not upgraded, the packets of session 1, after security detection by the IPS function component version 1, are sent to the AV function component version 1 for security detection.
  • if the first session is a session newly established with the firewall device after the new version of the first functional component is run, such as session 2, the new version of the first functional component, such as the IPS function component version 2, performs security detection on the first session. As shown in FIG. 4, if the AV function component has been upgraded to a new version 2 that is already running in the detection engine before the packets are sent to the AV function component, the packets of session 2 are checked using the new AV function component version 2, as shown in FIG. 3. If the AV function component is not upgraded, the AV function component version 1 continues to be used for security detection.
  • application identification is performed, that is, application identification is performed on the received message to find a corresponding functional component for security detection.
  • Figure 3 shows the IPS function component and the AV function component as examples.
  • the actual application can include more functional components, such as URL filtering function components and DLP function components.
  • the corresponding actions are performed according to the result of the security check, such as blocking, alarm, log, release, and the like.
  • Step 103: After all the second sessions are aged, destroy the old version of the first functional component.
  • the old-version functional component of the detection engine used by session 1, the IPS function component version 1, is destroyed, and session 2 continues to use the IPS function component version 2 and the AV function component version 1 for security detection.
  • the aging refers to a transmission control protocol (TCP) connection.
  • TCP: Transmission Control Protocol
  • FIN or connection reset RST message
  • if the upgrade device of the detection engine subsequently detects that the IPS function component in the detection engine needs to be upgraded again, a new version of the first functional component, such as the IPS function component version 3, is generated in the detection engine according to the obtained software upgrade data packet, and this functional component is run.
  • the newly established session 3 uses the new IPS function component version 3 and the AV function component version 2 for security detection.
  • when session 2 ages (and no other session uses the IPS function component version 2 and the AV function component version 1 for detection), the IPS function component version 2 and the AV function component version 1 in the detection engine used by session 2 are destroyed.
  • the terms "first" and "second" in the first functional component, the second functional component, the first session, and the second session in this embodiment are not meant to represent a sequential relationship, but to distinguish different functional components and sessions;
  • "first", "second", etc. mentioned elsewhere in this document are likewise used to distinguish between different components, versions, sessions, and so on.
  • in this embodiment, a new version of the first functional component is generated according to the software upgrade data packet of the detection engine and run in the detection engine, so as to detect the first session by using the new version of the first functional component, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run; if there is at least one second session, the old version of the first functional component is used to detect subsequent messages of the second session until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run; after all the second sessions are aged, the old version of the first functional component is destroyed.
  • because only the functional component that needs to be upgraded is upgraded, rather than the entire detection engine, and the old-version functional components that detect the second sessions are destroyed after all the second sessions are aged, resource occupation is small and upgrade efficiency is high; a smooth upgrade of the functional components of the detection engine on the next-generation firewall is achieved, and the security detection of existing traffic is not affected.
  • the method may further include:
  • the first functional component of the new version is applied for detection; if the packet belongs to the second session, the first functional component of the old version is used for detection.
  • the NGFW receives the packet, and determines, according to the packet header of the packet, whether the packet belongs to the first session, such as session 2, or to the second session, such as session 1. If the packet belongs to session 2, the new version of the first functional component, such as the IPS function component version 2, is applied for detection. If the packet belongs to session 1, the old version of the first functional component, such as the IPS function component version 1, is applied for detection.
  • before the subsequent messages of the second session are detected by using the old version of the first functional component until all the second sessions are aged, the method of this embodiment also includes:
  • the correspondence between the first version of the first functional component, the first session, and the session state of the first session may be established and stored, so that when the first functional component is upgraded again, whether a session is aged can be judged.
  • for example, the correspondence among the IPS function component version 1 and the AV function component version 1, session 1, and the session state of session 1; the correspondence among the IPS function component version 2 and the AV function component version 1, session 2, and the session state of session 2; and, as shown in FIG. 4, the correspondence between session 2 and the IPS function component version 2 and the AV function component version 2. As shown in Table 1, these are used for judging whether all sessions are aged, which makes it convenient to judge whether each functional component should be destroyed.
  • Table 1: which version of the functional component is used for security detection of the subsequent messages of the session. As shown in Table 1, the first column represents the correspondence number, the second column represents the functional component version, the third column represents the session, and the fourth column represents the session state.
  • the method may further include:
  • the session state is set to the aging state.
  • the session state of the session to which the message belongs is set to an aging state in the corresponding relationship.
  • the corresponding relationship corresponding to the session 1 is The session state in 2 is set to the aging state. If no other sessions are detected using the IPS function component version 1, all the sessions detected by using the IPS function component version 1 are aged, so the IPS function component version 1 is destroyed, and the packets of newly established sessions are detected by the IPS function component version 2 and the AV function component version 1.
  • Further, the method may further include:
  • the software upgrade package further includes an upgrade package of at least one second functional component, a new version of the second functional component is generated, and a new version of the second functional component is run in the detection engine.
  • the software upgrade data package further includes an upgrade data package of the at least one second function component, such as an upgrade data package including the IPS function component and the AV function component: a new version of the first function component, such as the IPS function component version 2, is generated, a new version of the second functional component, such as the AV function component version 2, is generated, and the new version of the second functional component is run in the detection engine; if the software upgrade package also includes the upgrade packages of two second functional components, for example the upgrade packages of the AV function component and the DLP function component, two new versions of second function components are generated, such as the AV function component version 2 and the DLP function component version 2.
  • the correspondence between the first version of the first functional component, the first session, and the session state of the first session is established and stored, so as to determine whether all the first sessions are aged, and the correspondence between the old version of the first functional component, the second session, and the session state of the second session is established and stored, for judging whether all of the second sessions are aged; a packet is received, and whether the packet belongs to the first session or to the second session is determined according to the packet header of the packet; if the packet belongs to the first session, the new version of the first functional component is applied for detection, and if the packet belongs to the second session, the old version of the first functional component is applied for detection.
  • the session state of the session to which the message belongs is set to an aging state; and, where the software upgrade data package further includes an upgrade package of at least one second functional component, a new version of the second functional component is generated and run in the detection engine. Resource occupation is small and upgrade efficiency is high; a smooth upgrade of the functional components of the detection engine on the next-generation firewall is achieved, and the security detection of existing service traffic is not affected.
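Steps 101 to 103 and the stored correspondence, sketched as an added example (this is not code from the patent or from any product). It assumes a session is identified by a 5-tuple taken from the packet header and that a session stays pinned to the component versions running when it was established; all class and function names are hypothetical, and `inspect` is a stand-in for real detection.

```python
from dataclasses import dataclass

FIN, RST = 0x01, 0x04          # TCP flag bits that end a connection


@dataclass
class Component:
    """One version of a functional component (e.g. IPS version 1)."""
    name: str
    version: int
    destroyed: bool = False

    def inspect(self, payload: bytes) -> str:
        if self.destroyed:
            raise RuntimeError(f"{self.name} v{self.version} already destroyed")
        return f"{self.name}v{self.version}"   # stand-in for real detection


@dataclass
class Session:
    pinned: dict                # component name -> Component chosen at setup
    aged: bool = False          # the "session state" column of the table


class DetectionEngine:
    def __init__(self, names):
        self.current = {n: Component(n, 1) for n in names}
        self.retired = []       # old versions kept for "second sessions"
        self.table = {}         # session key -> Session (the correspondence)

    def upgrade(self, name):
        """Step 101: run the new version; keep the old one for old sessions."""
        old = self.current[name]
        self.current[name] = Component(name, old.version + 1)
        self.retired.append(old)
        self._destroy_unused()  # nothing pinned to it: destroy immediately

    def handle(self, key, flags=0, payload=b""):
        """Step 102: inspect a packet with the versions its session is pinned to."""
        sess = self.table.get(key)
        if sess is None or sess.aged:           # newly established session
            sess = Session(pinned=dict(self.current))
            self.table[key] = sess
        verdicts = [c.inspect(payload) for c in sess.pinned.values()]
        if flags & (FIN | RST):                 # FIN/RST marks the session aged
            sess.aged = True
            self._destroy_unused()
        return verdicts

    def _destroy_unused(self):
        """Step 103: destroy old versions once every session on them has aged."""
        in_use = {id(c) for s in self.table.values() if not s.aged
                  for c in s.pinned.values()}
        for comp in self.retired:
            if id(comp) not in in_use:
                comp.destroyed = True
        self.retired = [c for c in self.retired if not c.destroyed]

    def live_versions(self, name):
        """Versions of `name` still loaded: current plus undestroyed old ones."""
        old = [c.version for c in self.retired if c.name == name]
        return sorted(old + [self.current[name].version])


def demo():
    """Replay the session 1 / session 2 scenario with constructed 5-tuples."""
    eng = DetectionEngine(["IPS", "AV"])
    s1 = ("10.0.0.5", 40000, "203.0.113.9", 80, "tcp")   # constructed sample
    s2 = ("10.0.0.6", 40001, "203.0.113.9", 80, "tcp")   # constructed sample
    out = [eng.handle(s1)]                  # session 1 established on IPS v1
    eng.upgrade("IPS")                      # IPS v2 starts running
    out.append(eng.handle(s1))              # old session stays on IPS v1
    out.append(eng.handle(s2))              # new session gets IPS v2
    out.append(eng.live_versions("IPS"))    # both versions loaded
    eng.handle(s1, flags=FIN)               # session 1 ages
    out.append(eng.live_versions("IPS"))    # IPS v1 destroyed
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The in-use check runs on every FIN/RST and on every upgrade, so an old version whose sessions have all aged, or that never had any, does not stay loaded.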
  • FIG. 6 is a schematic structural diagram of Embodiment 1 of an apparatus for upgrading a detection engine in a firewall device according to the present invention.
  • the apparatus 50 of this embodiment may include: an installation module 501, a detection module 502, and a destruction module 503, where the installation module 501 is configured to generate a new version of the first functional component according to the software upgrade data package of the detection engine, and run the new version of the first functional component in the detection engine; the detection module 502 is configured to detect the first session by using the new version of the first functional component generated and run by the installation module 501, where the first session refers to a session newly established with the firewall device after the new version of the first functional component is run.
  • the detecting module 502 is further configured to: if there is at least one second session, use the old version of the first functional component to detect subsequent messages of the second session until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run; the destruction module 503 is configured to, according to the triggering of the detecting module 502, destroy the old version of the first functional component after all the second sessions are aged.
  • the device in this embodiment can be used to implement the technical solution of the method embodiment shown in FIG. 1.
  • the principle and the technical effect are similar, and details are not described herein again.
  • FIG. 7 is a schematic structural diagram of Embodiment 2 of a device for upgrading a detection engine in a firewall device according to the present invention.
  • the device 50 of the present embodiment may further include:
  • the receiving module 504 is configured to receive a packet, and determine, according to the packet header of the packet, whether the packet belongs to the first session or to the second session.
  • the detecting module 502 is further configured to: if the packet belongs to the first session, apply the new version of the first functional component for detection; if the packet belongs to the second session, apply the old version of the first functional component for detection.
  • apparatus of this embodiment may further include:
  • a storage module 505 configured to establish and store a correspondence between the old version of the first functional component, the second session, and the session state of the second session, for the detection module to judge whether all the second sessions are aged.
  • the storage module 505 is further configured to establish and store a correspondence between the old version of the first functional component, the first session, and the session state of the first session, for the detection module to judge whether all of the first sessions are aged.
  • the storage module 505 is further configured to:
  • in the corresponding relationship stored by the storage module 505, the session state of the session to which the message belongs is set to an aging state.
  • the storage module 505 is further configured to:
  • in the corresponding relationship stored in the storage module 505, the session state of the session to which the message belongs is set to an aging state.
  • the installation module 501 is further configured to:
  • the software upgrade data package further includes an upgrade data packet of at least one second functional component
  • a new version of the second functional component is then generated and the new version of the second functional component is run in the detection engine.
  • the device in this embodiment may be used to implement the technical solution in the second embodiment of the method, and the implementation principle and the technical effect are similar, and details are not described herein again.
  • FIG. 8 is a schematic structural diagram of Embodiment 1 of an upgrade device of a detection engine according to the present invention.
  • the upgrade device 70 of the detection engine provided in this embodiment includes a bus 701, a receiver 702, a processor 703, and a memory 704.
  • the bus 701 is used to connect the receiver 702, the processor 703 and the memory 704, and to transmit information; the receiver 702 is configured to receive the message, and the memory 704 stores the execution instruction.
  • the processor 703 communicates with the memory 704, runs the code stored in the memory 704, and performs the following operations:
  • the old version of the first functional component is used to detect subsequent messages of the second session until all the second sessions are aged, where the second session refers to a session that had already been established with the firewall device when the new version of the first functional component was run;
  • before the subsequent messages of the second session are detected by using the old version of the first functional component until all the second sessions are aged, the memory 704 is also used for:
  • a correspondence between the first functional component of the old version, the second session, and the session state of the second session is established and stored for determining whether all of the second sessions are aged.
  • the memory 704 is further configured to establish and store a correspondence between the first version of the first functional component, the first session, and the session state of the first session, for performing aging on all of the first sessions.
  • the processor 703 is further configured to determine, according to the packet header of the packet received by the receiver 702, whether the packet belongs to the first session or to the second session. If the packet belongs to the first session, the first functional component of the new version is applied for detection; and if the packet belongs to the second session, the first functional component of the old version is applied for detection.
  • the processor 703 is further configured to: when the flag of the message received by the receiver 702 is an end connection FIN or a connection reset RST, if the session to which the message belongs is the second session, set the session state of the session to which the message belongs to an aging state in the corresponding relationship.
  • processor 703 is further configured to:
  • the session to which the message belongs is the first session, in the corresponding relationship
  • the session state of the session to which the packet belongs is set to an aging state.
  • processor 703 is further configured to:
  • the software upgrade data package further includes an upgrade data package of the at least one second function component, generating a new version of the second function component, and running the new version of the second function component in the detection engine.
  • the device in this embodiment may be used to implement the technical solution of the method embodiment, and the implementation principle and the technical effect are similar, and details are not described herein again.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the above integrated unit implemented in the form of a software functional unit can be stored in a computer-readable storage medium.
  • the software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to perform part of the steps of the methods of the various embodiments of the present invention.
  • the foregoing storage medium includes any medium that can store program code, such as a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Abstract

Embodiments of the present invention provide a method and an apparatus for upgrading a detection engine in a firewall device. The method for upgrading a detection engine in a firewall device comprises: generating a first functional component in a new version according to a software upgrade data packet of the detection engine, and running the first functional component in the new version in the detection engine, so as to detect a first conversation by using the first functional component in the new version; if there is at least one second conversation, detecting a subsequent packet of the second conversation by using a first functional component in an old version until the second conversation ages; and after all second conversations age, destroying the first functional component in the old version. In the embodiments of the present invention, only a functional component needing upgrade is upgraded, and after a conversation ages, a functional component used for detecting the conversation is destroyed, so that resource occupation is small, upgrade efficiency is high, and security detection for existing service traffic is not affected.

Description

Method and Apparatus for Upgrading a Detection Engine in a Firewall Device
This application claims priority to Chinese Patent Application No. 201310344399.0, filed with the Chinese Patent Office on August 8, 2013 and entitled "Method and Apparatus for Upgrading a Detection Engine in a Firewall Device", which is incorporated herein by reference in its entirety.
Technical field
Embodiments of the present invention relate to network technologies, and in particular, to a method and an apparatus for upgrading a detection engine in a firewall device.
Background
A basic requirement of a gateway device is operational reliability: for example, user traffic is not interrupted by a software version upgrade, and users' services are not affected. For a gateway device such as a next generation firewall (Next Generation Firewall, NGFW for short), the requirements are higher. An NGFW provides not only the basic forwarding control functions of a traditional firewall but also policy control based on applications, users and the like, and it performs security inspection, according to specific policies, on the application-layer traffic flowing through the device. These security inspections include intrusion prevention (Intrusion Prevention System, IPS for short), anti-virus (Anti-Virus, AV for short), uniform resource locator (Uniform Resource Locator, URL for short) filtering, data leak prevention (Data Leak Prevention, DLP for short), and so on.
Because the content of application-layer traffic on the network changes quickly, attack threats against application-layer services change just as quickly. To detect these changing threats in time, the components on the NGFW device that detect them, such as the threat signature library or the detection engine, must be upgradable in a timely manner. The prior art has two upgrade approaches. In one, a new detection engine replaces the old detection engine, and the old detection engine is unavailable after the upgrade succeeds. In the other, after the new detection engine is loaded successfully, the old detection engine continues to be used while the new one runs, so that for a considerable period multiple detection engines run simultaneously in the NGFW device.
In the first approach, because the old detection engine is unavailable after the upgrade, subsequent packet traffic of sessions established before the upgrade has to be passed through (bypass) so that traffic flowing through the NGFW device is not affected. Application-layer inspection of that traffic has in effect lapsed, and if an attack occurs at this point the NGFW device cannot detect it, which results in a missed detection. In the second approach, running multiple copies of the detection engine at the same time consumes a large amount of the NGFW device's processing resources and reduces efficiency.
Summary of the invention
Embodiments of the present invention provide a method and an apparatus for upgrading a detection engine, to reduce the missed detections caused by detection engine upgrades in the prior art.
According to a first aspect, an embodiment of the present invention provides a method for upgrading a detection engine in a firewall device, including: generating a new version of a first functional component according to a software upgrade data package of the detection engine, and running the new version of the first functional component in the detection engine, so that the new version of the first functional component is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run;
if at least one second session exists, using the old version of the first functional component to inspect subsequent packets of the second session until all the second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run; and
after all the second sessions have aged, destroying the old version of the first functional component.
With reference to the first aspect, in a first implementation of the first aspect, after the running the new version of the first functional component in the detection engine, the method further includes:
receiving a packet, and determining, according to the packet header of the packet, whether the packet belongs to the first session or to the second session; and
if the packet belongs to the first session, applying the new version of the first functional component for inspection; if the packet belongs to the second session, applying the old version of the first functional component for inspection.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, before the using, if at least one second session exists, the old version of the first functional component to inspect subsequent packets of the second session until all the second sessions have aged, the method further includes:
establishing and storing a correspondence among the old version of the first functional component, the second session, and the session state of the second session, for use in determining whether all the second sessions have aged.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, after the receiving a packet, the method further includes:
when the flag bit of the packet is connection end FIN or connection reset RST, if the session to which the packet belongs is the second session, setting, in the correspondence, the session state of the session to which the packet belongs to an aging state.
With reference to the first aspect or any one of the foregoing implementations of the first aspect, in a fourth implementation of the first aspect, the method further includes:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generating a new version of the second functional component, and running the new version of the second functional component in the detection engine.
According to a second aspect, an embodiment of the present invention provides an apparatus for upgrading a detection engine in a firewall device, including:
an installation module, configured to generate a new version of a first functional component according to a software upgrade data package of the detection engine, and run the new version of the first functional component in the detection engine;
a detection module, configured to use the new version of the first functional component generated and run by the installation module to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run;
the detection module being further configured to: if at least one second session exists, use the old version of the first functional component to inspect subsequent packets of the second session until all the second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run; and
a destruction module, configured to, as triggered by the detection module, destroy the old version of the first functional component after all the second sessions have aged.
With reference to the second aspect, in a first implementation of the second aspect, the apparatus further includes: a receiving module, configured to receive a packet and determine, according to the packet header of the packet, whether the packet belongs to the first session or to the second session;
the detection module being further configured to: if the packet belongs to the first session, apply the new version of the first functional component for inspection; if the packet belongs to the second session, apply the old version of the first functional component for inspection.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the apparatus further includes:
a storage module, configured to establish and store a correspondence among the old version of the first functional component, the second session, and the session state of the second session, for the detection module to determine whether all the second sessions have aged.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the storage module is further configured to:
when the flag bit of the packet received by the receiving module is FIN or RST, if the session to which the packet belongs is the second session, set, in the correspondence, the session state of the session to which the packet belongs to an aging state.
With reference to the second aspect or any one of the foregoing implementations of the second aspect, in a fourth implementation of the second aspect, the installation module is further configured to:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generate a new version of the second functional component, and run the new version of the second functional component in the detection engine.
According to the method and apparatus for upgrading a detection engine in a firewall device in the embodiments of the present invention, a new version of a first functional component is generated according to a software upgrade data package of the detection engine, and the new version of the first functional component is run in the detection engine so that it is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run; if at least one second session exists, the old version of the first functional component is used to inspect subsequent packets of the second session until all the second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run; and after all the second sessions have aged, the old version of the first functional component is destroyed. Because only the functional component that needs upgrading is upgraded rather than the entire detection engine, and the old version of the functional component that inspects the second sessions is destroyed after all the second sessions have aged, the solution occupies fewer resources and upgrades more efficiently than the prior-art solution of updating the entire detection engine, and it achieves a smooth upgrade of the individual functional components of the detection engine on a next generation firewall without affecting security inspection of existing service traffic.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments or the prior art. Apparently, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention;
FIG. 2 is a schematic diagram of an application scenario of Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention;
FIG. 3 is a first schematic diagram of the functional component upgrade state in Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention;
FIG. 4 is a second schematic diagram of the functional component upgrade state in Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention;
FIG. 5 is a third schematic diagram of the functional component upgrade state in Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention;
FIG. 6 is a schematic structural diagram of Embodiment 1 of the apparatus for upgrading a detection engine in a firewall device according to the present invention;
FIG. 7 is a schematic structural diagram of Embodiment 2 of the apparatus for upgrading a detection engine in a firewall device according to the present invention;
FIG. 8 is a schematic structural diagram of Embodiment 1 of the detection engine upgrade device according to the present invention.
Detailed description
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the following clearly and completely describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments. Apparently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a flowchart of Embodiment 1 of the method for upgrading a detection engine in a firewall device according to the present invention, FIG. 2 is a schematic diagram of an application scenario of that embodiment, and FIG. 3, FIG. 4 and FIG. 5 are the first, second and third schematic diagrams of the functional component upgrade state in that embodiment. The method in this embodiment is executed by an apparatus for upgrading a detection engine in a firewall device, and the apparatus may be implemented by software and/or hardware. The solution in this embodiment is applied in a network access device or a network switching device, for example a gateway device, a firewall, or an NGFW.
As shown in FIG. 1, the method in this embodiment may include:
Step 101: Generate a new version of a first functional component according to a software upgrade data package of the detection engine, and run the new version of the first functional component in the detection engine, so that the new version of the first functional component is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run.
Specifically, as shown in FIG. 2, the apparatus for upgrading a detection engine in a firewall device in this embodiment may be disposed, for example, in an NGFW. An NGFW is mainly deployed at an Internet egress or an office network egress to protect servers and the user hosts of the office network. Based mainly on application identification, the NGFW performs security inspection on application-layer traffic in the network, with protection functions such as IPS inspection, AV inspection, and URL filtering. An upgrade server is deployed in the network. If the upgrade server or the NGFW holds a software upgrade data package for a new version of a functional component of the detection engine, for example the IPS functional component, and the upgrade apparatus of the detection engine learns by detection that a functional component of the detection engine, for example the IPS functional component or the AV functional component, needs to be upgraded, a new version of the first functional component is generated according to the software upgrade data package of the detection engine, and the new version of the first functional component is run in the detection engine so that it is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run. If the new version of the first functional component, for example the AV functional component, has a corresponding new signature library, that library is loaded and updated at the same time; the signature library includes, for example, information about multiple viruses.
In this embodiment, the check for whether a functional component needs upgrading may be triggered on a timer: for example, the upgrade server communicates with the NGFW to obtain, in real time, the version state of each functional component of the detection engine in the NGFW and compares it with the version state on the upgrade server to learn whether an upgrade is needed. The check may also be triggered manually: for example, when the upgrade server and the NGFW are not in communication, the software upgrade data package may be downloaded manually to the NGFW, and the upgrade component in the NGFW determines whether an upgrade is needed. If multiple functional components need to be upgraded at the same time, the functional components may be upgraded separately in parallel or upgraded in sequence, that is, the next functional component is upgraded after the upgrade of one functional component is complete.
Step 102: If at least one second session exists, use the old version of the first functional component to inspect subsequent packets of the second session until all the second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run.
Specifically, as shown in FIG. 3, if a second session is a session that had already been established with the firewall device when the new version of the first functional component was run, for example session 1, the old version of the first functional component, for example IPS functional component version 1, is used to perform security inspection on subsequent packets of the second session. Subsequent packets of the second session are packets belonging to the second session that are received after the new version of the first functional component is run. Because the AV functional component has not been upgraded, packets of session 1 are sent to AV functional component version 1 for security inspection after being inspected by IPS functional component version 1. If a first session is a session newly established with the firewall device after the new version of the first functional component is run, for example session 2, the new version of the first functional component, for example IPS functional component version 2, is used to perform security inspection on the first session. As shown in FIG. 4, if, before the packets are sent to the AV functional component, the AV functional component has been upgraded to a new version 2 that is already running in the detection engine, packets of session 2 are inspected by the new AV functional component version 2; as shown in FIG. 3, if the AV functional component has not been upgraded, AV functional component version 1 continues to be used for security inspection.
In this embodiment, as shown in FIG. 3, application identification is performed after session flow distribution, that is, application identification is performed on a received packet to find the corresponding functional component for security inspection. FIG. 3 uses only the IPS functional component and the AV functional component as examples; an actual deployment may include more functional components, for example a URL filtering functional component and a DLP functional component. After security inspection, a corresponding action is taken according to the inspection result, such as blocking, alerting, logging, or permitting.
Step 103: After all the second sessions have aged, destroy the old version of the first functional component.
Specifically, as shown in FIG. 5, after all the sessions that had been established with the firewall device before the new version of the first functional component was run in the detection engine, for example session 1, have aged, the old version of the functional component in the detection engine used by session 1, for example IPS functional component version 1, is destroyed, and session 2 continues to use IPS functional component version 2 and AV functional component version 1 for security inspection. Aging means that both sides of a Transmission Control Protocol (TCP) connection have sent a connection end FIN or connection reset RST packet. If the upgrade apparatus of the detection engine later learns by detection that the IPS functional component in the detection engine needs to be upgraded again, a new version of the first functional component, for example IPS functional component version 3, is generated in the detection engine according to the obtained software upgrade data package and is run. A newly established session 3 then uses the new IPS functional component version 3 and AV functional component version 2 for security inspection. After session 2 has aged (and no other session uses IPS functional component version 2 and AV functional component version 1 for inspection), IPS functional component version 2 and AV functional component version 1 in the detection engine used by session 2 are destroyed.
In this embodiment, "first" and "second" in the first functional component, the second functional component, the first session, and the second session do not indicate an order; they distinguish different functional components and sessions. "First", "second" and the like used later in this document likewise distinguish different components, versions, sessions, and so on.
In this embodiment, a new version of a first functional component is generated according to a software upgrade data package of the detection engine, and the new version of the first functional component is run in the detection engine so that it is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is run; if at least one second session exists, the old version of the first functional component is used to inspect subsequent packets of the second session until all the second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run; and after all the second sessions have aged, the old version of the first functional component is destroyed. Because only the functional component that needs upgrading is upgraded rather than the entire detection engine, and the old version of the functional component that inspects the second sessions is destroyed after all the second sessions have aged, resource occupation is small and upgrade efficiency is high, and a smooth upgrade of the individual functional components of the detection engine on a next generation firewall is achieved without affecting security inspection of existing service traffic.
In Embodiment 2 of the method for upgrading a detection engine in a firewall device according to the present invention, on the basis of the method embodiment shown in FIG. 1, the method may further include:
receiving a packet and determining, according to the packet header, whether the packet belongs to the first session or to the second session;
if the packet belongs to the first session, applying the new version of the first functional component for inspection; if the packet belongs to the second session, applying the old version of the first functional component for inspection.
Specifically, as shown in FIG. 3, the NGFW receives a packet and determines, according to the packet header, whether the packet belongs to a first session such as session 2 or to a second session such as session 1. If it belongs to a first session such as session 2, the new version of the first functional component, such as IPS functional component version 2, is applied for inspection; if it belongs to a second session such as session 1, the old version of the first functional component, such as IPS functional component version 1, is applied for inspection.
Further, before the step of using the old version of the first functional component to inspect subsequent packets of the second session, if at least one second session exists, until all second sessions have aged, the method of this embodiment further includes:
establishing and storing a correspondence among the old version of the first functional component, the second session and the session state of the second session, for use in judging whether all second sessions have aged;
optionally, a correspondence among the new version of the first functional component, the first session and the session state of the first session may also be established and stored, so that whether all first sessions have aged can be judged when the first functional component is upgraded again.
Specifically, as shown in FIG. 3, the upgrade apparatus of the detection engine in the firewall device may, for example, establish and store: the correspondence among IPS functional component version 1 and AV functional component version 1, session 1, and the session state of session 1; the correspondence among IPS functional component version 2 and AV functional component version 1, session 2, and the session state of session 2; and, as shown in FIG. 4, the correspondence between session 2 and IPS functional component version 2 and AV functional component version 2. These correspondences, shown in Table 1, are used to judge whether all sessions have aged, which makes it easy to decide whether each functional component should be destroyed and which version of a functional component is used for security inspection of a session's subsequent packets. In Table 1, the first column is the correspondence number, the second column is the functional component version, the third column is the session, and the fourth column is the session state.
Table 1 (image imgf000010_0001 in the original publication)
Further, after the packet is received, the method may further include:
when the flag bit of the packet is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the second session, setting the session state of that session to the aged state in the correspondence.
Optionally, if the session to which the packet belongs is the first session, the session state of that session is set to the aged state in the correspondence.
Specifically, as shown in Table 1, when the flag bit of a transmitted service packet is end-of-connection FIN or connection-reset RST and the packet belongs to session 1, the session state in correspondences 1 and 2, which correspond to session 1, is set to the aged state. If no other session is then using IPS functional component version 1 for inspection, all sessions inspected with IPS functional component version 1 have aged, so IPS functional component version 1 is destroyed, and packets of subsequently established sessions are all inspected with IPS functional component version 2 and AV functional component version 1.
Further, the method may further include:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generating a new version of the second functional component and running the new version of the second functional component in the detection engine.
Specifically, if the software upgrade data package further includes an upgrade data package of at least one second functional component, for example it includes upgrade data packages of both the IPS functional component and the AV functional component, a new version of the first functional component such as IPS functional component version 2 and a new version of the second functional component such as AV functional component version 2 are generated, and the new version of the second functional component is run in the detection engine. If the software upgrade data package further includes upgrade data packages of two second functional components, such as the AV functional component and the DLP functional component, new versions of both second functional components are generated, such as AV functional component version 2 and DLP functional component version 2.
In this embodiment, a correspondence among the new version of the first functional component, the first session and the session state of the first session is established and stored for judging whether all first sessions have aged, and a correspondence among the old version of the first functional component, the second session and the session state of the second session is established and stored for judging whether all second sessions have aged. A packet is received and, according to its packet header, is determined to belong to the first session or to the second session; a packet of the first session is inspected with the new version of the first functional component, and a packet of the second session is inspected with the old version of the first functional component. When the flag bit of the packet is end-of-connection FIN or connection-reset RST, the session state of the session to which the packet belongs is set to the aged state. If the software upgrade data package further includes an upgrade data package of at least one second functional component, a new version of the second functional component is generated and run in the detection engine. Resource usage is low and upgrade efficiency is high; each functional component of the detection engine on a next-generation firewall is upgraded smoothly, and security inspection of existing service traffic is unaffected.
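The version pinning and destruction described in this embodiment, as an added Python example that is not code from the patent: each session is pinned to the component versions that were current when it was created, and a superseded version is destroyed once no live session references it. The class and function names, the byte-string signatures and the addresses are assumptions constructed for illustration; aging follows the definition given above (both parties of the TCP connection have sent FIN or RST).

```python
from dataclasses import dataclass, field

FIN, RST = 0x01, 0x04  # TCP header flag bits


@dataclass(frozen=True)
class Packet:
    src: tuple            # (ip, port) of the sender
    dst: tuple            # (ip, port) of the receiver
    flags: int = 0
    payload: bytes = b""


@dataclass
class Session:
    pinned: dict                              # component name -> version fixed at creation
    closed: set = field(default_factory=set)  # endpoints that have sent FIN or RST
    state: str = "active"


def make_detector(signatures):
    """Toy functional component: returns the signatures found in a payload."""
    sigs = tuple(signatures)
    return lambda payload: [s for s in sigs if s in payload]


class DetectionEngine:
    def __init__(self, components):
        # loaded[name][version] -> detector; several versions may coexist
        self.loaded = {n: {1: d} for n, d in components.items()}
        self.current = {n: 1 for n in components}
        self.sessions = {}                    # correspondence table: session -> versions, state

    def upgrade(self, name, detector):
        """Generate and run a new version of one component only."""
        version = self.current[name] + 1
        self.loaded[name][version] = detector
        self.current[name] = version
        self._reap()                          # no session pinned to the old version: destroy now
        return version

    def process(self, pkt):
        """Inspect one packet with the versions its session is pinned to."""
        key = frozenset((pkt.src, pkt.dst))   # same key for both directions
        sess = self.sessions.get(key)
        if sess is None:                      # new session: pin the current versions
            sess = self.sessions[key] = Session(pinned=dict(self.current))
        alerts = []
        for name, version in sess.pinned.items():
            for sig in self.loaded[name][version](pkt.payload):
                alerts.append((name, version, sig))
        if pkt.flags & (FIN | RST):
            sess.closed.add(pkt.src)
            if len(sess.closed) == 2:         # both parties have sent FIN or RST
                sess.state = "aged"
                del self.sessions[key]
                self._reap()
        return alerts

    def _reap(self):
        """Destroy superseded versions that no live session is pinned to."""
        for name, versions in self.loaded.items():
            in_use = {s.pinned[name] for s in self.sessions.values()}
            for v in list(versions):
                if v != self.current[name] and v not in in_use:
                    del versions[v]

    def loaded_versions(self, name):
        return sorted(self.loaded[name])


def demo():
    """Constructed traffic: session 1 predates the IPS upgrade, session 2 follows it."""
    eng = DetectionEngine({"IPS": make_detector([b"sig-A"]),
                           "AV": make_detector([b"sig-V"])})
    c1, c2, srv = ("10.0.0.1", 40000), ("10.0.0.2", 40001), ("192.0.2.10", 80)
    out = {}
    eng.process(Packet(c1, srv, payload=b"hello"))            # session 1 pinned to IPS v1
    eng.upgrade("IPS", make_detector([b"sig-A", b"sig-B"]))   # IPS v2 starts running
    out["after_upgrade"] = eng.loaded_versions("IPS")
    out["old_session"] = eng.process(Packet(c1, srv, payload=b"..sig-B.."))
    out["new_session"] = eng.process(Packet(c2, srv, payload=b"..sig-B.."))
    eng.process(Packet(c1, srv, flags=FIN))                   # one side closed only
    out["half_closed"] = eng.loaded_versions("IPS")
    eng.process(Packet(srv, c1, flags=FIN))                   # session 1 is now aged
    out["after_aging"] = eng.loaded_versions("IPS")
    return out


if __name__ == "__main__":
    print(demo())
```

In this run the session opened before the upgrade is still inspected by IPS version 1 and therefore does not match the signature added in version 2; with aging driven only by FIN/RST as defined above, version 1 stays loaded until that session has closed in both directions.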
FIG. 6 is a schematic structural diagram of Embodiment 1 of the apparatus for upgrading a detection engine in a firewall device according to the present invention. As shown in FIG. 6, the apparatus 50 of this embodiment may include an installation module 501, a detection module 502 and a destruction module 503. The installation module 501 is configured to generate a new version of the first functional component according to the software upgrade data package of the detection engine and to run the new version of the first functional component in the detection engine. The detection module 502 is configured to inspect first sessions using the new version of the first functional component generated and run by the installation module 501, where a first session is a session newly established with the firewall device after the new version of the first functional component has been run. The detection module 502 is further configured to, if at least one second session exists, use the old version of the first functional component to inspect subsequent packets of the second session until all second sessions have aged, where a second session is a session that had already been established with the firewall device when the new version of the first functional component was run. The destruction module 503 is configured to destroy, when triggered by the detection module 502, the old version of the first functional component after all second sessions have aged.
The apparatus of this embodiment may be used to execute the technical solution of the method embodiment shown in FIG. 1; its implementation principle and technical effects are similar and are not repeated here.
FIG. 7 is a schematic structural diagram of Embodiment 2 of the apparatus for upgrading a detection engine in a firewall device according to the present invention. As shown in FIG. 7, on the basis of the apparatus structure shown in FIG. 5, the apparatus 50 of this embodiment may further include a receiving module 504, configured to receive a packet and determine, according to the packet header, whether the packet belongs to the first session or to the second session. The detection module 502 is further configured to apply the new version of the first functional component for inspection if the packet belongs to the first session, and to apply the old version of the first functional component for inspection if the packet belongs to the second session.
Further, the apparatus of this embodiment may also include:
a storage module 505, configured to establish and store a correspondence among the old version of the first functional component, the second session and the session state of the second session, so that the detection module can judge whether all second sessions have aged.
Optionally, the storage module 505 may also be configured to establish and store a correspondence among the old version of the first functional component, the first session and the session state of the first session, so that the detection module can judge whether all first sessions have aged.
The storage module 505 is further configured to:
when the flag bit of the packet received by the receiving module 504 is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the second session, set the session state of that session to the aged state in the correspondence stored by the storage module 505.
Optionally, the storage module 505 is further configured to:
when the flag bit of the packet received by the receiving module 504 is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the first session, set the session state of that session to the aged state in the correspondence stored by the storage module 505.
Optionally, the installation module 501 is further configured to:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generate a new version of the second functional component and run the new version of the second functional component in the detection engine.
The apparatus of this embodiment may be used to execute the technical solution of method Embodiment 2; its implementation principle and technical effects are similar and are not repeated here.
FIG. 8 is a schematic structural diagram of Embodiment 1 of a device for upgrading a detection engine according to the present invention. As shown in FIG. 8, the detection engine upgrade device 70 provided in this embodiment includes a bus 701, a receiver 702, a processor 703 and a memory 704. The bus 701 connects the receiver 702, the processor 703 and the memory 704 and transfers information; the receiver 702 is configured to receive packets; the memory 704 stores execution instructions. When the detection engine upgrade device 70 runs, the processor 703 communicates with the memory 704 and runs the code stored in the memory 704 to perform the following operations:
generating a new version of the first functional component according to the software upgrade data package of the detection engine, and running the new version of the first functional component in the detection engine, so that the new version of the first functional component is used to inspect first sessions, where a first session is a session newly established with the firewall device after the new version of the first functional component has been run;
if at least one second session exists, using the old version of the first functional component to inspect subsequent packets of the second session until all second sessions have aged, where a second session is a session that had already been established with the firewall device when the new version of the first functional component was run;
after all second sessions have aged, destroying the old version of the first functional component.
Preferably, before the step of using the old version of the first functional component to inspect subsequent packets of the second session, if at least one second session exists, until all second sessions have aged, the memory 704 is further configured to:
establish and store a correspondence among the old version of the first functional component, the second session and the session state of the second session, for use in judging whether all second sessions have aged.
Optionally, the memory 704 is further configured to establish and store a correspondence among the new version of the first functional component, the first session and the session state of the first session, for use in judging whether all first sessions have aged.
Optionally, the processor 703 is further configured to determine, according to the packet header of the packet from the receiver 702, whether the packet belongs to the first session or to the second session;
if the packet belongs to the first session, the new version of the first functional component is applied for inspection; if the packet belongs to the second session, the old version of the first functional component is applied for inspection.
Optionally, the processor 703 is further configured to, when the flag bit of the packet received by the receiver 702 is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the second session, set the session state of that session to the aged state in the correspondence.
Optionally, the processor 703 is further configured to:
when the flag bit of the packet received by the receiver 702 is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the first session, set the session state of that session to the aged state in the correspondence.
Optionally, the processor 703 is further configured to:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generate a new version of the second functional component and run the new version of the second functional component in the detection engine.
The device of this embodiment may be used to execute the technical solutions of the method embodiments; its implementation principle and technical effects are similar and are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional modules above is used only as an example. In practice, the functions may be assigned to different functional modules as needed; that is, the internal structure of the apparatus may be divided into different functional modules to perform all or some of the functions described above. For the specific working process of the apparatus described above, refer to the corresponding process in the foregoing method embodiments; details are not repeated here.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for upgrading a detection engine in a firewall device, characterized by comprising:
generating a new version of a first functional component according to a software upgrade data package of the detection engine, and running the new version of the first functional component in the detection engine, so that the new version of the first functional component is used to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component has been run;
if at least one second session exists, using the old version of the first functional component to inspect subsequent packets of the second session until all second sessions have aged, where the second session is a session that had already been established with the firewall device when the new version of the first functional component was run;
after all second sessions have aged, destroying the old version of the first functional component.
2. The method according to claim 1, characterized in that, after the new version of the first functional component is run in the detection engine, the method further comprises:
receiving a packet, and determining, according to the packet header of the packet, whether the packet belongs to the first session or to the second session;
if the packet belongs to the first session, applying the new version of the first functional component for inspection; if the packet belongs to the second session, applying the old version of the first functional component for inspection.
3. The method according to claim 2, characterized in that, before the step of using the old version of the first functional component to inspect subsequent packets of the second session, if at least one second session exists, until all second sessions have aged, the method further comprises:
establishing and storing a correspondence among the old version of the first functional component, the second session and the session state of the second session, for use in judging whether all second sessions have aged.
4. The method according to claim 3, characterized in that, after the packet is received, the method further comprises:
when the flag bit of the packet is end-of-connection FIN or connection-reset RST, if the session to which the packet belongs is the second session, setting the session state of that session to the aged state in the correspondence.
5. The method according to any one of claims 1 to 4, characterized by further comprising:
if the software upgrade data package further includes an upgrade data package of at least one second functional component, generating a new version of the second functional component, and running the new version of the second functional component in the detection engine.
6. An apparatus for upgrading a detection engine in a firewall device, comprising: an installation module, configured to generate a new version of a first functional component according to a software upgrade data package of the detection engine, and to run the new version of the first functional component in the detection engine;
a detection module, configured to use the new version of the first functional component generated and run by the installation module to inspect a first session, where the first session is a session newly established with the firewall device after the new version of the first functional component is running;
the detection module being further configured to, if at least one second session exists, use the old version of the first functional component to inspect subsequent packets of the second session until all the second sessions have aged out, where the second session is a session that had already been established with the firewall device when the new version of the first functional component started running;
a destruction module, configured to destroy the old version of the first functional component, as triggered by the detection module, after all the second sessions have aged out.
7. The apparatus according to claim 6, further comprising: a receiving module, configured to receive a packet and determine, according to the packet header of the packet, whether the packet belongs to the first session or to the second session;
the detection module being further configured to apply the new version of the first functional component for inspection if the packet belongs to the first session, and to apply the old version of the first functional component for inspection if the packet belongs to the second session.
8. The apparatus according to claim 7, further comprising: a storage module, configured to establish and store a correspondence among the old version of the first functional component, the second session, and the session state of the second session, for the detection module to use in determining whether all the second sessions have aged out.
9. The apparatus according to claim 8, wherein the storage module is further configured to: when the flag bit of the packet received by the receiving module is FIN or RST, if the session to which the packet belongs is the second session, set the session state of the session to which the packet belongs to the aged state in the correspondence.
10. The apparatus according to any one of claims 6 to 9, wherein the installation module is further configured to:
if the software upgrade data package also includes an upgrade data package of at least one second functional component, generate a new version of the second functional component, and run the new version of the second functional component in the detection engine.
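The session-pinning rule of claims 6 to 9, as an added Python example (not code from the patent or from any product): new sessions go to the new component version, sessions that predate the upgrade stay on the old version until a FIN or RST ages them out, and the old version is destroyed once none remain. The class, method and variable names and the sample 5-tuples are hypothetical; the example assumes one upgrade in flight at a time and models only the FIN/RST aging trigger named in the claims.

```python
from dataclasses import dataclass, field
from typing import Optional

FIN, RST, ACK = 0x01, 0x04, 0x10  # TCP header flag bits

@dataclass
class DetectionEngine:  # hypothetical name, not from the patent
    current: str                      # version applied to newly established (first) sessions
    old: Optional[str] = None         # old version, alive only while second sessions remain
    live: set = field(default_factory=set)      # sessions currently established
    pinned: dict = field(default_factory=dict)  # second session -> aged? (stored correspondence)

    def upgrade(self, new_version: str) -> None:
        if self.old is not None:
            raise RuntimeError("previous upgrade still draining")
        self.old, self.current = self.current, new_version
        self.pinned = {s: False for s in self.live}  # sessions that predate the new version
        self._destroy_old_if_drained()               # no second sessions: nothing to keep

    def inspect(self, session: tuple, flags: int) -> str:
        """Return the component version that inspects this packet."""
        closing = bool(flags & (FIN | RST))
        if self.pinned.get(session) is False:        # un-aged second session
            version = self.old
            if closing:
                self.pinned[session] = True          # mark aged, as in claims 4 and 9
                self.live.discard(session)
                self._destroy_old_if_drained()
            return version
        if closing:
            self.live.discard(session)
        else:
            self.live.add(session)
        return self.current

    def _destroy_old_if_drained(self) -> None:
        if self.old is not None and all(self.pinned.values()):
            self.old, self.pinned = None, {}         # destroy the old version

def demo() -> list:
    a = ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")   # constructed sample 5-tuples
    b = ("10.0.0.6", 40001, "192.0.2.10", 443, "tcp")
    c = ("10.0.0.7", 40002, "192.0.2.10", 443, "tcp")
    eng = DetectionEngine("v1")
    eng.inspect(a, ACK); eng.inspect(b, ACK)            # established before the upgrade
    eng.upgrade("v2")
    trace = [eng.inspect(c, ACK), eng.inspect(a, ACK), eng.inspect(a, FIN | ACK), eng.old]
    trace += [eng.inspect(b, RST), eng.old, eng.inspect(a, ACK)]
    return trace
```

Because aging here depends only on FIN or RST, a pre-upgrade session that goes silent without closing keeps the old version resident indefinitely in this model.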
PCT/CN2014/072541 2013-08-08 2014-02-26 Method and apparatus for upgrading detection engine in firewall device WO2015018200A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310344399.0 2013-08-08
CN201310344399.0A CN104348660B (en) 2013-08-08 2013-08-08 The upgrade method and device of detecting and alarm in firewall box

Publications (1)

Publication Number Publication Date
WO2015018200A1 true WO2015018200A1 (en) 2015-02-12

Family

ID=52460606

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/072541 WO2015018200A1 (en) 2013-08-08 2014-02-26 Method and apparatus for upgrading detection engine in firewall device

Country Status (2)

Country Link
CN (1) CN104348660B (en)
WO (1) WO2015018200A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10037768B1 (en) 2017-09-26 2018-07-31 International Business Machines Corporation Assessing the structural quality of conversations
CN113839882A (en) * 2021-09-26 2021-12-24 杭州迪普信息技术有限公司 Message flow splitting method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106059790A (en) * 2016-05-13 2016-10-26 杭州华三通信技术有限公司 Firewall upgrading method and apparatus
CN112866238B (en) * 2021-01-15 2022-07-05 杭州迪普科技股份有限公司 Session control method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040049701A1 (en) * 2002-09-05 2004-03-11 Jean-Francois Le Pennec Firewall system for interconnecting two IP networks managed by two different administrative entities
CN101122934A (en) * 2006-08-11 2008-02-13 珠海金山软件股份有限公司 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method
CN101695031A (en) * 2009-10-27 2010-04-14 成都市华为赛门铁克科技有限公司 Upgrading method and device of intrusion prevention system
CN101854334A (en) * 2009-03-30 2010-10-06 华为技术有限公司 Admission control system, device and method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102118296B (en) * 2009-12-30 2015-05-27 华为技术有限公司 Rule base upgrading method and communication equipment
CN101938460B (en) * 2010-06-22 2014-04-09 北京中兴网安科技有限公司 Coordinated defense method of full process and full network safety coordinated defense system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10037768B1 (en) 2017-09-26 2018-07-31 International Business Machines Corporation Assessing the structural quality of conversations
US10297273B2 (en) 2017-09-26 2019-05-21 International Business Machines Corporation Assessing the structural quality of conversations
US10311895B2 (en) 2017-09-26 2019-06-04 International Business Machines Corporation Assessing the structural quality of conversations
US10424319B2 (en) 2017-09-26 2019-09-24 International Business Machines Corporation Assessing the structural quality of conversations
CN113839882A (en) * 2021-09-26 2021-12-24 杭州迪普信息技术有限公司 Message flow splitting method and device
CN113839882B (en) * 2021-09-26 2023-09-26 杭州迪普信息技术有限公司 Message flow splitting method and device

Also Published As

Publication number Publication date
CN104348660B (en) 2018-08-21
CN104348660A (en) 2015-02-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14834209

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14834209

Country of ref document: EP

Kind code of ref document: A1